Microsoft claims EU compliance supremacy, but it's not that simple

The company says it is the only major US cloud services provider to offer a certain type of data protection clause in its contracts with European businesses, but the truth is that Google Apps will soon do the same.

Microsoft has welcomed the recommendations of a group of EU data protection officials, claiming that their endorsement of so-called 'model clauses' shows Microsoft is the only fully compliant option for businesses wanting to use cloud services.

However, while the company's words are technically true, key rival Google is preparing to offer similar clauses in its Apps contracts soon.

Model clauses were introduced in 2010 as a way for US cloud providers to prove their compliance with European data protection law, which is much tougher than that in the US. Along with 'safe harbour' self-certifications, they provide a way of getting around the fact that the US is not on the EU's brief list of countries to which EU citizens' personal data can legally be sent.

Microsoft is so far the only major cloud service provider to adopt the model clauses in its contracts, and the company's legal chief, Brad Smith, wrote a blog post on Thursday that was presumably intended to warn European businesses off adopting Google Apps instead of Office 365.

Smith's post was a response to an opinion (PDF) published by the Article 29 working group on Tuesday. The group comprises representatives from all the EU member states' data protection watchdogs — while its recommendations are not binding, they constitute official advice to the European Commission.

"In issuing this Opinion, European regulators provided the strongest endorsement to date for the European model clauses," Smith wrote. "The clauses provide a set of formal commitments that businesses can rely on to ensure that their cloud services provider adheres to the highest standards in its operations and data processing activities. Microsoft is the only cloud services provider willing to make this commitment and to offer the European Model Clauses to our customers."

Smith went on to posit two questions: "First, is [a prospective customer's] cloud services provider willing to commit contractually to offer model clauses? Second, has their cloud services provider done the detailed work with the data protection authorities across Europe to ensure that their implementation complies with the requirements of these important regulators?"

While Smith was accurate in saying Microsoft was currently the only major US provider to have adopted model clauses, he neglected to mention that — precisely one month before — Google said it was preparing to do the same "soon".

However, Google said on Friday that it had no further update as to the timing of this happening.

The Microsoft legal chief also failed to mention another of the recommendations made by the Article 29 working group. The data protection regulators are dissatisfied with US companies' use of self-certification to show safe harbour compliance, and used their opinion this week to call for providers in that country to submit to third-party audits when getting such certifications.

"In the context of cloud computing, potential customers should look to see whether cloud services providers can provide a copy of this third party audit certificate or indeed a copy of the audit report verifying the certification," the working group said.